Enable CAC+MFA Keycloak Workflows

Need keycloak to have some sort of logical workflow to allow for CAC + MFA.

At registration time it is acceptable to require a user to have MFA, even if they have a CAC, but CAC must be optional. At login time, either MFA or CAC will be acceptable.

Nic has asked that a "simple" representation (aka step 1,2,3) be sent to him prior to implementation.